Azure Security Cheat Sheet


Cybersecurity is a concern for everyone today as more and more workloads are connected in a way or another, meaning exposed in a way or another. When it comes to the Cloud, things turn wilder as PaaS, CaaS, FaaS and even IaaS to some extent, represent a paradigm shift. Organizations tend to rely on good old recipes that are perfectly suitable for traditional on-premises systems but not especially a good fit for the Cloud, even when talking IaaS, since the underlying network plumbing does not have much in common with on-premises networks. Moreover, insiders represent a severe security risk but some organizations still think their premises is way more secure than the Cloud, just because, it is within the walls.

That said, I don’t want to start a debate but rather to sum up what is available in Azure to build secure architectures. It is probably not exhaustive but these are the most common tools with a short recap of their purpose.

  • Virtual Networks aka VNET. These are the easiest way to isolate components from the internet or at least to control inbound traffic to any resource belonging to the VNET. VNETs can be peered with each other and have a connectivity to on-premises via S2S VPN or ExpressRoute. More and more PaaS components integrate with VNETs. Service endpoints also allow you to restrict some services (Azure SQL, Storage) to VNET-only resources. Also, make sure to provision VMs with private IPs only when to manage them from your premises but of course, you’ll need either S2S VPN, either ExpressRoute. P2S is also possible but discouraged.
  • NSG (Network Security Groups) & ASG (Application Security Groups): both help dealing with inbound and outbound traffic within a subnet and/or VMs. ASG improves the way you apply these rules by minimizing the required number of NSGs. Best practices: apply NSG at subnet level, avoid applying them at VM level. Make sure your logical split between subnets is clean, that will ease the configuration of NSG.
  • Basic DDOS Protection Plan: applies by default to every VNET. Basic DDOS is aimed at protecting every public ip address. So key take away here, put everything you can inside a VNET to benefit from this built-in protection
  • Standard DDOS Protection Plan: must be enabled at VNET level. On top of the basic protection, one get additional protection that is more specific to the environment. Standard DDOS makes use of ML behind the scenes to improve the level of protection.
  • There are plenty of network artifacts (public ip, private ip, load balancers, traffic manager, route tables, etc.) which should be taken care of but are not “per se” safeguards on their own.
  • Application Gateway: Layer 7 WAF with built-in protection against OWASP TOP 10 most common attacks
  • NVA (Network Virtual Appliances): this one is not out of the box. Traditional vendors published NVAs to the Azure Marketplace. Not sure using these is in-line with the paradigm shift I mentioned earlier. However, using at least one (for instance to control inbound/outbound traffic to your premises) will probably make your customer sleep better at night.
  • Azure API Management: allows any organization to build and expose APIs in a consistent manner. Thanks to policies, one can define rules that will inspect every incoming request and discard non-compliant ones. APIM comes with plenty of ways to secure APIS (JWT policies, Client Certificates, Subscription Keys) etc. which can be combined and can be (premium tier) integrated with VNET in External and Internal modes. The Products — APIs — Operations structure makes it easy to define the bare minimal security requirements via policies at product level to let all APIs inherit from that.
  • Azure Key Vault: based on a HSM, Key Vault is definitely where any sensitive information (secrets, encryption keys, certificates) should be stored. Key Vault is definitely a first-class citizen in the Azure security story.
  • ASE (App Service Environment) is a way to leverage typical App Services with only private IPs (note that there is also a public ASE). On top of security concerns, ASE come with enhanced performance.
  • Encryption comes with everything in Azure. Always Encrypted is a feature you should turn on for every database. Azure Key Vault can also be used to encrypt content from APIs where encryption can take place in Azure (private keys never leave the vault) or in-code via key-wrapping techniques. In short, hybrid encryption (RSA+Symetric) is made easy.
  •  RBAC (Role Based Access Control) is also a first-class citizen since it allows to control the access to various resources in a very granular way. Therefore, a good logical organization (number of subscriptions, resource groups etc.) is important to optimize the use of RBAC.
  • Azure PIM (Privileged Identity Management): this guy helps granting roles for a limited amount of time, in order to avoid having too many people with too much permissions.
  • Azure Active Directory Applications are also a very good way to protect custom-built APIs and to grant access to SaaS APIs such as the Graph API (but plenty of others too).
  • EMS (Enterprise Mobility Suite) allows for very advanced conditional access rules, multi-factor auth, RMS, etc.
  • Azure MSI is a great way to keep credentials out of code and basically out of any configuration file. The App Service benefits from a system identity that can be used to request tokens to any resource. Of course, the system SPN should be granted permissions over those resources prior to using MSI from the App Service. Talking of code, it is clearly when security starts. Having a proper automation system running code security checks (quality gates) early in the development lifecycle is key. With agile development, pen test is not the most cost effective solutions, given the very frequent number of releases. Therefore, relying on source code security scanners is key. Also basic things such as checking the security of an API post-deployment is key (you can have a look at the API Security Checker here )
  • Azure Security Center: this guy will highlight everything resource that is not well secured and which could potentially lead to security troubles. You can see it as your security dashboard. It will also enables features such as JIT (just in time access) which basically opens management ports only when needed and closed them automatically to reduce the attack surface of VMs.

On top of the above, Azure ships with different monitoring tools that help supporting a proper governance as well as detecting potential security issues. These tools range from the Log Analytics, Azure Monitor, Azure Advisor, etc. to Azure Policies. So, as you can see, there are many different tools to build secure solutions in Azure. There is no one size fits all but often combining a few of these guys should do the job!

Happy Security!


About Stephane Eyskens

Office 365, Azure PaaS and SharePoint platform expert
This entry was posted in Azure and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s